Smart Buildings May Be Smart, But Their Operational Technology (OT) Systems Are Vulnerable To Cyberattacks 

The fact that Tesla automobiles and other Bluetooth-connected devices can be unlocked and controlled by a relatively unsophisticated hacker using minimal equipment should be a wake-up call for everyone, including security teams charged with protecting buildings, facilities and operational technology (OT) infrastructure. Buildings are becoming smarter, incorporating electronic door access and entry systems, smart sensors, motion detectors, automated lighting systems, elevator controls, power distribution, fire detection and suppression, surveillance cameras, HVAC equipment and similar network-connected devices to better facilitate monitoring and management. With that growth comes greater risk that unauthorized individuals and malicious actors may access these systems, establish persistence on the corresponding equipment, corrupt settings and even use these footholds to penetrate further into corporate networks, as happened to Target.

Many may be surprised to learn that the number of smart building automation devices connected to larger business networks exceeds the number of laptop and desktop computers. Not only are a large number of facility management devices connected to the network, but each of these nodes further expands an organization’s attack surface and raises the statistical odds of a successful cyberattack. Compounding the problem, operational technology, if hacked, can reveal personal information about employees, because sensors and systems are increasingly programmed to track individual preferences, permissions and location data, which increases the corresponding privacy risks.

Because building automation and management controls fulfill essential responsibilities, including life safety functions, and provide access to an organization’s broader networks, systems and sensitive data, firms must protect and monitor these components just as they do traditional information technology infrastructure. The problem is particularly acute because OT systems are reportedly often overlooked by commercial firms and building managers, and it is sometimes unclear who is responsible for managing them: building management, IT, the landlord, the commercial broker or another party.

Safeguarding the OT Infrastructure

Once building management responsibilities are assigned, attention naturally turns to securing the corresponding OT infrastructure. To help, the United States Department of Commerce’s National Institute of Standards and Technology (NIST) built and maintains a Cybersecurity Framework (CSF) standard that organizations can adopt to better safeguard critical infrastructure.

The NIST Cybersecurity Framework presents five elements: 

  1. Identify – Emphasizes the importance of developing an accurate understanding of the systems, nodes, data and functions at risk from cybersecurity threats.
  2. Protect – Focuses on developing and implementing protections that safeguard service delivery.
  3. Detect – Prioritizes raising awareness of threats as they are detected.
  4. Respond – Reinforces the importance of developing and implementing processes to follow when cybersecurity attacks occur.
  5. Recover – Targets preparing, maintaining and executing processes for restoring operations following a cybersecurity attack.

Organizations should research, deploy and maintain cybersecurity solutions that improve each of these five elements. Such a strategy provides a strong foundation from which to identify, secure and maintain essential OT systems. 

How Do OT and IT Differ From One Another?

When working to protect OT equipment and networks, it’s important to understand how OT and IT differ. While IT systems typically power an organization’s front-end informational applications, hardware and networks, OT usually refers to an organization’s back-end components that power industrial operations. Yet, despite that important difference, many of the common OT cybersecurity recommendations for building managers and facilities administrators are similar to those for IT departments: 

  1. Prioritize patching – Regularly patch operating systems, software applications and hardware firmware.
  2. Secure remote access – Restrict the users permitted to remotely connect to the network and require secure VPNs for remote connectivity.
  3. Segment networks – Separate systems and services across independent networks to help prevent infections from traveling across network boundaries.
  4. Deploy endpoint security protection – Deploy, monitor and maintain centralized endpoint protection software with advanced threat protection on all network-connected devices.
  5. Deploy firewall security services – Deploy, monitor and maintain firewall defenses with advanced threat protection that include intrusion detection and prevention capabilities.
  6. Monitor systems for errors and attacks – Continual monitoring of, and alerting on, firewalls, systems, networks and equipment helps detect cyberattacks that breach an organization’s defenses, which in turn supports rapid response when threats arise.
  7. Deploy a business continuity and disaster recovery (BCDR) solution – Despite best cyber defense efforts, breaches still sometimes occur, and a robust BCDR solution can help speed recovery of critical operations.

Despite these similarities, important differences between IT and OT systems remain. To help address those differences, building managers and facilities administrators can also adopt OT-specific cybersecurity solutions, such as the Honeywell Threat Defense Platform (HTDP). Honeywell’s offering uses Acalvio’s autonomous deception techniques to confuse and distract malicious actors targeting smart building apparatus, while also providing threat detection capabilities.

Other OT-specific cybersecurity solutions are available, too, tailored to meet the unique nuances and behaviors of OT’s internet-connected components. Acalvio, Armis, Cisco, Darktrace, Dragos, Forescout, Microsoft, SCADAfence, Skybox Security and Tenable all offer cybersecurity solutions specifically for OT systems. 

Smart buildings and their operational technology systems fulfill essential functions and services. Smart buildings’ OT infrastructure provides a wealth of benefits, from heating and cooling efficiencies to enhanced life safety systems. Unfortunately, these same networks and devices also give malicious actors opportunities and vulnerabilities to exploit. Forward-thinking building managers, commercial office administrators and facilities teams will be well served by reviewing their platforms and applying the same cybersecurity priorities that IT professionals apply to their networks. Adopting NIST best practices and deploying robust OT-specific cybersecurity solutions can go a long way toward reducing the corresponding attack surfaces and making it more difficult for hackers and unauthorized users to infect and compromise their organizations.

Need more information regarding your smart building or another cybersecurity topic? Contact Louisville Geek at 502-897-7577 or email a technical expert at [email protected].